> On 13/03/2023 15:24 EET Serg <me at at.encryp.ch> wrote:
>
>
> Hello, is there any way to disallow client-initiated renegotiation at
> the dovecot? I haven't found any mention of this feature within source
> code as well as at the documentation.
>
> I am asking about it because without this feature the mail server is
> vulnerable to a TLS renegotiation DoS attack which can consume a lot of
> CPU and is harder to combat compared to a basic TLS connection flood.

There is no dovecot config option. However, you can use e.g.
/etc/ssl/openssl.cnf to disable this (or whatever the default file in your
system is):

# top-level pointer to the section that names per-module config sections
openssl_conf = default_conf

[default_conf]
# hand the libssl module its own section
ssl_conf = ssl_sect

[ssl_sect]
# settings libssl applies whenever an application creates an SSL_CTX
system_default = system_default_sect

[system_default_sect]
# SSL_CONF "Options" command; NoRenegotiation sets SSL_OP_NO_RENEGOTIATION
Options = NoRenegotiation

Aki
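Added illustration, not part of Aki's reply or of Dovecot's code: a small Python check that follows the openssl.cnf pointer chain from the reply (openssl_conf -> ssl_conf -> system_default -> Options) and reports whether NoRenegotiation actually lands in the system-wide defaults, so a mistyped section name is caught instead of silently leaving renegotiation enabled; it also shows the in-process equivalent for a daemon that builds its own SSLContext. The sample config is constructed to mirror the snippet above.

```python
import ssl
# Constructed sample config mirroring the snippet from the reply.
SAMPLE_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = NoRenegotiation
"""

def parse_cnf(text):
    """Minimal openssl.cnf reader -> {section: {key: value}}; keys before the
    first [section] land in "". Sanity check only: no variable expansion."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def renegotiation_disabled_system_wide(text):
    """Follow openssl_conf -> ssl_conf -> system_default; return (ok, reason)."""
    s = parse_cnf(text)
    try:
        default_sect = s[""]["openssl_conf"]
        ssl_sect = s[default_sect]["ssl_conf"]
        sys_sect = s[ssl_sect]["system_default"]
        options = s[sys_sect]["Options"]
    except KeyError as missing:
        return False, "chain broken: %s not found" % missing
    flags = [f.strip() for f in options.split(",")]
    if "NoRenegotiation" in flags:
        return True, "NoRenegotiation set in [%s]" % sys_sect
    return False, "[%s] Options lacks NoRenegotiation" % sys_sect

def hardened_server_context():
    """In-process equivalent for a daemon that builds its own SSLContext."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx

def renegotiation_disabled(ctx):
    return bool(ctx.options & ssl.OP_NO_RENEGOTIATION)
```

Run the checker against the real /etc/ssl/openssl.cnf to confirm the chain on the host, then verify the effect end to end with a client that attempts a renegotiation against the server.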